  1. #1
    Joined
    Feb 2005
    Location
    Broken Arrow, OK
    Age
    25
    Posts
    1,923

    Being dropped in to a networking job

    Hi guys!

    I have a family member that is about to go in to private practice with a few other doctors. I don't have great information as to their specific requirements yet, but I do know that H patient confidentiality has to be protected - and I know that it is likely their offices will be broken in to. They will not leave any computer equipment (barring router and modem) at their practice overnight.

    So, my first challenge is figuring out how to network systems using an off-site server. It needs to be done cheaply, and the server needs to have everything encrypted to heck 'n back until it ain't even funny!

    I have a few ideas about what to do (Server 2008 R2 w/ FDE of some sort, built in Windows VPN protocols, Office 2010 compatible groupware) but I'm clueless about what kinds of services I can requisition from 'cloud' providers that will be HIPAA compliant. (In fact, IT HIPAA compliance is something I'm not certain about beyond 'Encrypt everything, everywhere', but I am NOT being asked to verify HIPAA compliance, getting them started won't hurt though)

    So, what direction should I be thinking in?
    My heatware

    All students need to check out www.dreamspark.com

    Proudly NOT a console or subscription/micropayment gamer.

  2. #2
    Joined
    Nov 2003
    Location
    Corruptfornia
    Posts
    3,786

    Re: Being dropped in to a networking job

    I have zero knowledge regarding anything like keeping privacy just that, but a Mod suggested using a program called SyperOak.com for secure business. Might this help?

  3. #3
    Joined
    Feb 2005
    Location
    Broken Arrow, OK
    Age
    25
    Posts
    1,923

    Re: Being dropped in to a networking job

    https://spideroak.com/ This?

    It's cool, I'll have to look in to it! Thanks!

  4. #4
    Joined
    Dec 2000
    Posts
    5,051

    Re: Being dropped in to a networking job

    Make sure to read up on HIPAA and look into the liability involved. Having computers offsite introduces major issues for securing sensitive information.

  5. #5
    Joined
    Feb 2005
    Location
    Broken Arrow, OK
    Age
    25
    Posts
    1,923

    Re: Being dropped in to a networking job

    Yeah, I'm actually backing off there. I've stated that the server needs to be on site in a physically secured room OR that the server needs to be hand carried on/off site on a daily basis.

    They'll have to sign saying they're accepting HIPAA liability, especially with any specialty needs.

    My biggest question right now is on the definition of physically secure. How do I physically secure a server? Is there an easy definition of 'physically secure' that is reasonable for a small practice? What if I took a large safe tied in to studs/foundation and stuck the server machine in it, then bored a few holes for a water cooling radiator and wiring?

  6. #6
    Joined
    Dec 2000
    Posts
    5,051

    Re: Being dropped in to a networking job

    Disconnecting a server and putting it into a safe introduces its own issues; for starters, the server would be easily portable, which is a security risk in its own right.

    A secure room is an area that limits access through its location, design and through policy.

    An example is using an area with four concrete walls, with a strong door as well as a bolt lock, and requiring anyone entering the area to be accompanied by a designated contact person. (Can also use a cage instead of concrete walls, depending on building design.)

    Also a good idea to make sure the server enclosure is lockable and to at minimum use intrusion alarms on the server cabinet and door. (Cameras are also useful depending on budget.)

    Another hint: don't leave equipment on the floor. Keep it about waist height if possible; nothing worse than a flood to damage your equipment.

    As with anything like this, also go over HIPAA and check to see if it references other policies as well.

  7. #7
    Joined
    Mar 2003
    Posts
    1,172

    Re: Being dropped in to a networking job

    Quote Originally Posted by Windrunner View Post
    Hi guys!

    ****SNIP - and I know that it is likely their offices will be broken in to. They will not leave any computer equipment (barring router and modem) at their practice overnight.

    ******SNAP
    So, what direction should I be thinking in?
    The first part of your paragraph scares me a little - you are sure they will be broken into because of....

    -bad neighborhood?

    -someone is going to be after the data you keep on the server?

    -retaliation from previous employment?

    The answer to the questions above might change how I think about securing my server.

    You want to know the space you have available to you. A large closet space with NO ductwork and its own (window) AC would be perfect.

    I work in (physical security) at a large company. Our servers are behind access secure doors.

    How you access the workplace may help decide how you want to secure the server.

    Cameras are always nice and you can probably buy some good ol' tape backup VCRs for cheap now. Or go the DVR route.

    I would pressure you away from Win Server 2008 R2, as its native backup system will not back up data of more than 2 tera. A problem we ran into when changing over our video system to a server type and wanted to back up the video data.

    Interesting thread. Keep us posted; it will be fun to discuss.

  8. #8
    Joined
    Feb 2005
    Location
    Broken Arrow, OK
    Age
    25
    Posts
    1,923

    Re: Being dropped in to a networking job

    Whoa @ concrete + cages. This is just a small healthcare practice that will be exempt from some of HIPAA's provisions as long as they follow best practices.

    They've said they might get in to a place that wouldn't be broken in to, but since this is a clinic that will service a poor part of the community, any break-ins would be a 'take anything that looks valuable' and das blinkenlights tend to impress, therefore das blinkenlights will be protected.

    Any other physical risks to the server would be someone in the office messing around with it and not knowing what they're doing - a situation I'll mitigate by running it headless.

    Are we talking about 2 terabytes a file, or 2 terabytes total? By the time they're ready to use a dedicated backup program I'd be willing to run a Linux VM in Hyper-V to manage their backup drives - if there were limitations in Server 2008 R2's backups. I can't imagine them using 2 terabytes of space.

    Active Directory is also sounding much better than Samba - which breaks on my CentOS machine if there isn't a clean shutdown. I'm also more proficient in Windows than I am Linux. Unless there's a distro that comes stuffed ready to run Windows' groupware/networking/VPN-ing stuff, I really want to stick with what I know they're not going to have problems with.

    However, managing CALs sounds like a pain in the butt and it might be worth it to them to avoid the costs of Windows Server for Linux. What distros should I be looking at?

    As far as cameras go, this will be a mental health care practice. No can do.

  9. #9
    Joined
    Dec 2000
    Posts
    5,051

    Re: Being dropped in to a networking job

    Can you give us an idea of what the construction of the building is like?

    Cameras would only be for the area used for the equipment, would be placed only for the area access and equipment access.

    At any rate it shouldn't be an area with patient traffic in the first place as that presents a risk in itself.

    Headless won't fully mitigate things; people have a tendency to pull wires they're not supposed to touch in the first place.

    Also, it's not just the blinky stuff people try to take; for example, copper in wires / pipes is a big ticket item now.

    The reference to concrete walls was already in place with construction; the cage is for locations where that isn't feasible. Cages can be pretty small, like the size of a closet, but are useful for preventing access to equipment.

  10. #10
    Joined
    Feb 2005
    Location
    Broken Arrow, OK
    Age
    25
    Posts
    1,923

    Re: Being dropped in to a networking job

    They haven't rented it yet. At this point they're considering renting space in a medical building (which would be perfect) and other locations which would be not-so-perfect.

    So putting in an equipment cage is likely an option. A camera would be an option if it was kept in the actual equipment room.

    But regardless it looks like it's going to cost them a bit, so at the outset they're going to have to deal with Windows File Shares for confidential documents, and Dropbox otherwise.


    What's out there for internet gateways with VPN functionality for ~10 users at once? I'm reading recommendations that HIPAA allows for wireless networks if only the endpoints are ever able to decrypt information, and VPNing to a local gateway was suggested in one of the articles I read.
